summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/inline
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/inline
parentInitial commit. (diff)
downloadbind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz
bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/inline')
-rw-r--r--bin/tests/system/inline/clean.sh27
-rw-r--r--bin/tests/system/inline/ns1/named.conf.in36
-rw-r--r--bin/tests/system/inline/ns1/root.db.in59
-rw-r--r--bin/tests/system/inline/ns1/sign.sh26
-rw-r--r--bin/tests/system/inline/ns2/bits.db.in22
-rw-r--r--bin/tests/system/inline/ns2/named.conf.in85
-rw-r--r--bin/tests/system/inline/ns2/nsec3-loop.db.in25
-rw-r--r--bin/tests/system/inline/ns3/include.db.in12
-rw-r--r--bin/tests/system/inline/ns3/master.db.in21
-rw-r--r--bin/tests/system/inline/ns3/master2.db.in23
-rw-r--r--bin/tests/system/inline/ns3/master3.db.in24
-rw-r--r--bin/tests/system/inline/ns3/master4.db.in24
-rw-r--r--bin/tests/system/inline/ns3/master5.db.in24
-rw-r--r--bin/tests/system/inline/ns3/master6.db.in26
-rw-r--r--bin/tests/system/inline/ns3/master7.db.in26
-rw-r--r--bin/tests/system/inline/ns3/named.conf.in179
-rwxr-xr-xbin/tests/system/inline/ns3/sign.sh160
-rw-r--r--bin/tests/system/inline/ns4/named.conf.in33
-rw-r--r--bin/tests/system/inline/ns4/noixfr.db.in22
-rw-r--r--bin/tests/system/inline/ns5/named.conf.post42
-rw-r--r--bin/tests/system/inline/ns5/named.conf.pre39
-rw-r--r--bin/tests/system/inline/ns6/named.conf.in40
-rw-r--r--bin/tests/system/inline/ns7/named.conf.in50
-rwxr-xr-xbin/tests/system/inline/ns7/sign.sh25
-rw-r--r--bin/tests/system/inline/ns8/example.com.db.in21
-rw-r--r--bin/tests/system/inline/ns8/example.db.in26
-rw-r--r--bin/tests/system/inline/ns8/example2.db.in26
-rw-r--r--bin/tests/system/inline/ns8/example3.db.in26
-rw-r--r--bin/tests/system/inline/ns8/named.conf.in162
-rwxr-xr-xbin/tests/system/inline/ns8/sign.sh36
-rw-r--r--bin/tests/system/inline/setup.sh57
-rwxr-xr-xbin/tests/system/inline/tests.sh1488
-rwxr-xr-xbin/tests/system/inline/tests_signed_zone_files.py67
33 files changed, 2959 insertions, 0 deletions
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
new file mode 100644
index 0000000..79f3774
--- /dev/null
+++ b/bin/tests/system/inline/clean.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -rf ./*/*.jbk \
+ ./*/*.nzd ./*/*.nzd-lock ./*/*.nzf \
+ ./*/named.conf ./*/named.memstats ./*/named.run* ./*/named.lock \
+ ./*/trusted.conf \
+ ./K* ./*/K* \
+ ./checkecdsa \
+ ./freeze.test* thaw.test* \
+ ./import.key \
+ ././ns*/managed-keys.bind* ./ns*/*.mkeys* \
+ ./*/dsset-* ./*/nzf-* \
+ ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
+ ./*.out ./*.out* ./*/*.out ./*/*.out* \
+ ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
+ ns3/a-file ns3/removedkeys
diff --git a/bin/tests/system/inline/ns1/named.conf.in b/bin/tests/system/inline/ns1/named.conf.in
new file mode 100644
index 0000000..da27c58
--- /dev/null
+++ b/bin/tests/system/inline/ns1/named.conf.in
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type primary;
+ file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in
new file mode 100644
index 0000000..915d95b
--- /dev/null
+++ b/bin/tests/system/inline/ns1/root.db.in
@@ -0,0 +1,59 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+bits. NS ns3.bits.
+bits. NS ns4.bits.
+ns3.bits. A 10.53.0.3
+ns4.bits. A 10.53.0.4
+
+noixfr. NS ns3.noixfr.
+ns3.noixfr. A 10.53.0.3
+
+master. NS ns3.master.
+ns3.master. A 10.53.0.3
+
+dynamic. NS ns3.dynamic.
+ns3.dynamic. A 10.53.0.3
+
+updated. NS ns3.updated.
+ns3.updated. A 10.53.0.3
+
+expired. NS ns3.expired.
+ns3.expired. A 10.53.0.3
+
+retransfer. NS ns3.retransfer.
+ns3.retransfer. A 10.53.0.3
+
+nsec3. NS ns3.nsec3.
+ns3.nsec3. A 10.53.0.3
+
+externalkey. NS ns3.externalkey.
+ns3.externalkey. A 10.53.0.3
+
+retransfer3. NS ns3.retransfer.
+ns3.retransfer3. A 10.53.0.3
+
+inactiveksk. NS ns3.inactiveksk.
+ns3.inactiveksk. A 10.53.0.3
+
+inactivezsk. NS ns3.inactivezsk.
+ns3.inactivezsk. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
new file mode 100644
index 0000000..5e024c2
--- /dev/null
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out
+[ $? = 0 ] || cat signer.out
+
+keyfile_to_static_ds $keyname > trusted.conf
+cp trusted.conf ../ns6/trusted.conf
diff --git a/bin/tests/system/inline/ns2/bits.db.in b/bin/tests/system/inline/ns2/bits.db.in
new file mode 100644
index 0000000..2652047
--- /dev/null
+++ b/bin/tests/system/inline/ns2/bits.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/inline/ns2/named.conf.in b/bin/tests/system/inline/ns2/named.conf.in
new file mode 100644
index 0000000..3ad6d96
--- /dev/null
+++ b/bin/tests/system/inline/ns2/named.conf.in
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "bits" {
+ type primary;
+ file "bits.db";
+ allow-update { any; };
+};
+
+zone "retransfer" {
+ type primary;
+ file "retransfer.db";
+ allow-update { any; };
+ notify no;
+};
+
+zone "retransfer3" {
+ type primary;
+ file "retransfer3.db";
+ allow-update { any; };
+ allow-transfer { none; }; // changed dynamically by tests.sh
+ notify no;
+};
+
+zone "nsec3-loop" {
+ type primary;
+ file "nsec3-loop.db";
+ notify no;
+};
+
+zone "inactiveksk" {
+ type primary;
+ file "inactiveksk.db";
+ allow-update { any; };
+};
+
+zone "inactivezsk" {
+ type primary;
+ file "inactivezsk.db";
+ allow-update { any; };
+};
+
+zone "nokeys" {
+ type primary;
+ file "nokeys.db";
+ allow-update { any; };
+};
+
+zone "removedkeys-secondary" {
+ type primary;
+ file "removedkeys-secondary.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns2/nsec3-loop.db.in b/bin/tests/system/inline/ns2/nsec3-loop.db.in
new file mode 100644
index 0000000..d12af8d
--- /dev/null
+++ b/bin/tests/system/inline/ns2/nsec3-loop.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; NOTE: This zone's data has been crafted in order to reproduce a very specific
+; scenario (see ns7/named.conf for more details). Please do not modify this
+; file.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
diff --git a/bin/tests/system/inline/ns3/include.db.in b/bin/tests/system/inline/ns3/include.db.in
new file mode 100644
index 0000000..c46a6a8
--- /dev/null
+++ b/bin/tests/system/inline/ns3/include.db.in
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+f A 10.0.0.7
diff --git a/bin/tests/system/inline/ns3/master.db.in b/bin/tests/system/inline/ns3/master.db.in
new file mode 100644
index 0000000..4d30cf6
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/inline/ns3/master2.db.in b/bin/tests/system/inline/ns3/master2.db.in
new file mode 100644
index 0000000..24a0666
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master2.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042408 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+e A 10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master3.db.in b/bin/tests/system/inline/ns3/master3.db.in
new file mode 100644
index 0000000..f3062c3
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master3.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042409 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master4.db.in b/bin/tests/system/inline/ns3/master4.db.in
new file mode 100644
index 0000000..737e2e2
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master4.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 hostmaster. (
+ 2000042410 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master5.db.in b/bin/tests/system/inline/ns3/master5.db.in
new file mode 100644
index 0000000..a1e1300
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master5.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042411 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
diff --git a/bin/tests/system/inline/ns3/master6.db.in b/bin/tests/system/inline/ns3/master6.db.in
new file mode 100644
index 0000000..de3e651
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master6.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042412 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
+
+$INCLUDE missingfile.db
diff --git a/bin/tests/system/inline/ns3/master7.db.in b/bin/tests/system/inline/ns3/master7.db.in
new file mode 100644
index 0000000..a3e33e7
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master7.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042412 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
+
+$INCLUDE include.db
diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in
new file mode 100644
index 0000000..dc14fe9
--- /dev/null
+++ b/bin/tests/system/inline/ns3/named.conf.in
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ try-tcp-refresh no;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "bits" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update-forwarding { any; };
+ file "bits.bk";
+ sig-signing-signatures 1; // force incremental processing
+};
+
+server 10.53.0.4 { request-ixfr no; };
+
+zone "noixfr" {
+ type secondary;
+ primaries { 10.53.0.4; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update-forwarding { any; };
+ file "noixfr.bk";
+};
+
+zone "master" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "master.db";
+ notify explicit;
+ also-notify {
+ 10.53.0.3;
+ };
+};
+
+zone "dynamic" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ file "dynamic.db";
+};
+
+zone "updated" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { none; };
+ file "updated.db";
+};
+
+zone "expired" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ file "expired.db";
+};
+
+zone "retransfer" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "retransfer.bk";
+};
+
+zone "nsec3" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ file "nsec3.db";
+};
+
+zone "externalkey" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ file "externalkey.db";
+};
+
+zone "retransfer3" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "retransfer3.bk";
+};
+
+zone "inactiveksk" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
+ file "inactiveksk.bk";
+};
+
+zone "inactivezsk" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "inactivezsk.bk";
+};
+
+zone "nokeys" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "nokeys.bk";
+};
+
+zone "delayedkeys" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "delayedkeys.db";
+};
+
+zone "removedkeys-primary" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ allow-update { any; };
+ also-notify { 10.53.0.2; };
+ file "removedkeys-primary.db";
+};
+
+zone "removedkeys-secondary" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "removedkeys-secondary.bk";
+};
+
+zone "unsupported" {
+ type primary;
+ file "unsupported.db";
+ inline-signing yes;
+ auto-dnssec maintain;
+};
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
new file mode 100755
index 0000000..7e33046
--- /dev/null
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# Fake an unsupported key
+unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+mv ${unsupportedkey}.tmp ${unsupportedkey}.key
+
+zone=bits
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=noixfr
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=master
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=dynamic
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=updated
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+cp master2.db.in updated.db
+
+# signatures are expired and should be regenerated on startup
+zone=expired
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+
+zone=retransfer
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=nsec3
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=retransfer3
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=inactiveksk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=inactivezsk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=delayedkeys
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+# Keys for the "delayedkeys" zone should not be initially accessible.
+mv K${zone}.+*+*.* ../
+
+zone=removedkeys-primary
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+
+zone=removedkeys-secondary
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+
+for s in a c d h k l m q z
+do
+ zone=test-$s
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+done
+
+for s in b f i o p t v
+do
+ zone=test-$s
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+ keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+done
+
+zone=externalkey
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+
+for alg in ${DEFAULT_ALGORITHM} ${ALTERNATIVE_ALGORITHM}
+do
+ k1=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+ k2=$($KEYGEN -q -a $alg -n zone $zone)
+ k3=$($KEYGEN -q -a $alg -n zone $zone)
+ k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
+ $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
+
+ # Convert k1 and k2 in to External Keys.
+ rm -f $k1.private
+ mv $k1.key a-file
+ $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
+ ( echo_i "importkey failed: $alg" )
+ rm -f $k2.private
+ mv $k2.key a-file
+ $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
+ ( echo_i "importkey failed: $alg" )
+done
diff --git a/bin/tests/system/inline/ns4/named.conf.in b/bin/tests/system/inline/ns4/named.conf.in
new file mode 100644
index 0000000..fed200a
--- /dev/null
+++ b/bin/tests/system/inline/ns4/named.conf.in
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "noixfr" {
+ type primary;
+ file "noixfr.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/inline/ns4/noixfr.db.in b/bin/tests/system/inline/ns4/noixfr.db.in
new file mode 100644
index 0000000..c40f011
--- /dev/null
+++ b/bin/tests/system/inline/ns4/noixfr.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns4 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns4 A 10.53.0.4
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/inline/ns5/named.conf.post b/bin/tests/system/inline/ns5/named.conf.post
new file mode 100644
index 0000000..f454b35
--- /dev/null
+++ b/bin/tests/system/inline/ns5/named.conf.post
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+ servfail-ttl 0;
+};
+
+zone "bits" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "bits.bk";
+ auto-dnssec maintain;
+ inline-signing yes;
+};
diff --git a/bin/tests/system/inline/ns5/named.conf.pre b/bin/tests/system/inline/ns5/named.conf.pre
new file mode 100644
index 0000000..91844ac
--- /dev/null
+++ b/bin/tests/system/inline/ns5/named.conf.pre
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "bits" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "bits.bk";
+};
diff --git a/bin/tests/system/inline/ns6/named.conf.in b/bin/tests/system/inline/ns6/named.conf.in
new file mode 100644
index 0000000..215fd58
--- /dev/null
+++ b/bin/tests/system/inline/ns6/named.conf.in
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
new file mode 100644
index 0000000..3a0cf86
--- /dev/null
+++ b/bin/tests/system/inline/ns7/named.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * NS7
+ *
+ * NOTE: This named instance is used to reproduce a scenario which involves a
+ * number of functions getting called in a very specific order which results in
+ * an infinite loop while iterating over NSEC3 red-black tree. Ensuring this
+ * happens requires carefully setting the number of signing keys, NSEC3
+ * parameters (number of iterations and salt value), zone data and named
+ * configuration. Changing any of these and/or influencing this instance's
+ * behavior (e.g. by sending extra queries to it) might render this test moot
+ * as it will no longer be able to reproduce the exact scenario it attempts to.
+ *
+ * Given the above, please do not use this instance for any other test than the
+ * one it was meant for.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ try-tcp-refresh no;
+ allow-new-zones yes;
+ sig-signing-nodes 100;
+ sig-signing-signatures 10;
+};
diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
new file mode 100755
index 0000000..462d6ad
--- /dev/null
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# NOTE: The number of signing keys generated below is not coincidental. More
+# details can be found in the comment inside ns7/named.conf.
+
+zone=nsec3-loop
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in
new file mode 100644
index 0000000..dfc7630
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.com.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns8 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns8
+ns8 A 10.53.0.8
diff --git a/bin/tests/system/inline/ns8/example.db.in b/bin/tests/system/inline/ns8/example.db.in
new file mode 100644
index 0000000..3ebf398
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns8
+ns8 A 10.53.0.8
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/inline/ns8/example2.db.in b/bin/tests/system/inline/ns8/example2.db.in
new file mode 100644
index 0000000..1f42c3a
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example2.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns8
+ns8 A 10.53.0.8
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/inline/ns8/example3.db.in b/bin/tests/system/inline/ns8/example3.db.in
new file mode 100644
index 0000000..a9e3daa
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example3.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 400
+@ IN SOA mname1. . (
+ 3 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns8
+ns8 A 10.53.0.8
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 0000000..27590da
--- /dev/null
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ try-tcp-refresh no;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "example01.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example01.com.db";
+};
+
+zone "example02.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example02.com.db";
+};
+
+zone "example03.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example03.com.db";
+};
+
+zone "example04.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example04.com.db";
+};
+
+zone "example05.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example05.com.db";
+};
+
+zone "example06.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example06.com.db";
+};
+
+zone "example07.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example07.com.db";
+};
+
+zone "example08.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example08.com.db";
+};
+
+zone "example09.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example09.com.db";
+};
+
+zone "example10.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example10.com.db";
+};
+
+zone "example11.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example11.com.db";
+};
+
+zone "example12.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example12.com.db";
+};
+
+zone "example13.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example13.com.db";
+};
+
+zone "example14.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example14.com.db";
+};
+
+zone "example15.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example15.com.db";
+};
+
+zone "example16.com" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example16.com.db";
+};
+
+zone example {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example.db";
+};
+
+zone "unsigned-serial-test" {
+ type primary;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "unsigned-serial-test.db";
+};
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
new file mode 100755
index 0000000..cedad7c
--- /dev/null
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+ example05.com example06.com example07.com example08.com \
+ example09.com example10.com example11.com example12.com \
+ example13.com example14.com example15.com example16.com
+do
+ rm -f K${zone}.+*+*.key
+ rm -f K${zone}.+*+*.private
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+ cp example.com.db.in ${zone}.db
+ $SIGNER -S -T 3600 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
+done
+
+for zone in example unsigned-serial-test; do
+ rm -f K${zone}.+*+*.key
+ rm -f K${zone}.+*+*.private
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone)
+ keyname=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone)
+ cp example.db.in ${zone}.db
+done
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
new file mode 100644
index 0000000..b31606c
--- /dev/null
+++ b/bin/tests/system/inline/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+cp ns1/root.db.in ns1/root.db
+
+touch ns2/trusted.conf
+cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
+cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactiveksk.db
+cp ns2/bits.db.in ns2/inactivezsk.db
+cp ns2/bits.db.in ns2/nokeys.db
+cp ns2/bits.db.in ns2/removedkeys-secondary.db
+cp ns2/bits.db.in ns2/retransfer.db
+cp ns2/bits.db.in ns2/retransfer3.db
+
+cp ns3/master.db.in ns3/master.db
+cp ns3/master.db.in ns3/dynamic.db
+cp ns3/master.db.in ns3/updated.db
+cp ns3/master.db.in ns3/unsupported.db
+cp ns3/master.db.in ns3/expired.db
+cp ns3/master.db.in ns3/nsec3.db
+cp ns3/master.db.in ns3/externalkey.db
+cp ns3/master.db.in ns3/delayedkeys.db
+cp ns3/master.db.in ns3/removedkeys-primary.db
+cp ns3/include.db.in ns3/include.db
+
+mkdir ns3/removedkeys
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.pre ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+
+(cd ns3; $SHELL -e sign.sh)
+(cd ns1; $SHELL -e sign.sh)
+(cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
new file mode 100755
index 0000000..2242d79
--- /dev/null
+++ b/bin/tests/system/inline/tests.sh
@@ -0,0 +1,1488 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+DIGOPTS="+tcp +dnssec -p ${PORT}"
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
+
+dig_with_opts() {
+ $DIG $DIGOPTS "$@"
+}
+
+rndccmd() {
+ $RNDCCMD "$@"
+}
+
+wait_for_serial() (
+ $DIG $DIGOPTS "@$1" "$2" SOA > "$4"
+ serial=$(awk '$4 == "SOA" { print $7 }' "$4")
+ [ "$3" -eq "${serial:--1}" ]
+)
+
+status=0
+n=0
+
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
+
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.)
+ test "$nsec3param" = "1 0 0 -" && break
+ sleep 1
+done
+
+n=$((n + 1))
+echo_i "checking that an unsupported algorithm is not used for signing ($n)"
+ret=0
+grep -q "algorithm is unsupported" ns3/named.run || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that rrsigs are replaced with ksk only ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr nsec3. |
+ awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the zone is signed on initial transfer ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking expired signatures are updated on load ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
+expiry=$(awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n)
+[ "$expiry" = "20110101000000" ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of private type record via 'rndc signing -clear' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
+for key in $keys; do
+ $RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
+ break; # We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num = 1 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking private type was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
+ grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking negative private type response was properly signed ($n)"
+ret=0
+sleep 1
+$DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add added.bits 0 A 1.2.3.4
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking that the record is added on the hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 added.bits A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that update has been transferred and has been signed ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the zone is signed on initial transfer, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add added.noixfr 0 A 1.2.3.4
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking that the record is added on the hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 added.noixfr A > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that update has been transferred and has been signed, noixfr ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072400 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072400" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the primary zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of private type record via 'rndc signing -clear' (primary) ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
+for key in $keys; do
+ $RNDCCMD 10.53.0.3 signing -clear ${key} master > /dev/null || ret=1
+ break; # We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/ns3 /' | cat_i
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num = 1 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking private type was properly signed (primary) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 master TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking removal of remaining private type record via 'rndc signing -clear' (primary) ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
+ grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding of record to unsigned primary ($n)"
+ret=0
+cp ns3/master2.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3 master
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
+ grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding record fails when SOA serial not changed ($n)"
+ret=0
+echo "c A 10.0.0.3" >> ns3/master.db
+rndc_reload ns3 10.53.0.3
+sleep 1
+$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
+grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check adding record works after updating SOA serial ($n)"
+ret=0
+cp ns3/master3.db.in ns3/master.db
+$RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
+ grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check the added record was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns6.test$n
+grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the dynamic primary zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys = 2 ] || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking primary zone that was updated while offline is correct ($n)"
+ret=0
+$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n
+serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
+# serial should have changed
+[ "$serial" = "2000042407" ] && ret=1
+# e.updated should exist and should be signed
+$DIG $DIGOPTS @10.53.0.3 e.updated A > dig.out.ns3.test$n
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+# updated.db.signed.jnl should exist, should have the source serial
+# of master2.db, and should show a minimal diff: no more than 8 added
+# records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
+# (SOA/RRSIG, NSEC/RRSIG).
+$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n
+serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
+[ "$serial" = "2000042408" ] || ret=1
+diffsize=$(wc -l < journalprint.out.test$n)
+[ "$diffsize" -le 13 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking adding of record to unsigned primary using UPDATE ($n)"
+ret=0
+
+[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo_i "journal exists (pretest)" ; }
+
+$NSUPDATE << EOF
+zone dynamic
+server 10.53.0.3 ${PORT}
+update add e.dynamic 0 A 1.2.3.4
+send
+EOF
+
+[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo_i "journal does not exist (posttest)" ; }
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 0 ] || { ret=1; echo_i "signed record not found"; cat dig.out.ns3.test$n ; }
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "stop bump in the wire signer server ($n)"
+ret=0
+stop_server ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "restart bump in the wire signer server ($n)"
+ret=0
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.2 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.4 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072450 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072450" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone bits
+server 10.53.0.3 ${PORT}
+update add bits 0 SOA ns2.bits. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking forwarded update on hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 bits SOA > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking forwarded update on signed zone ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone noixfr
+server 10.53.0.3 ${PORT}
+update add noixfr 0 SOA ns4.noixfr. . 2011072460 20 20 1814400 3600
+send
+EOF
+
+n=$((n + 1))
+echo_i "checking forwarded update on hidden primary, noixfr ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.4 noixfr SOA > dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+grep "2011072460" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking forwarded update on signed zone, noixfr ($n)"
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+ret=0
+n=$((n + 1))
+echo_i "checking turning on of inline signing in a secondary zone via reload ($n)"
+$DIG $DIGOPTS @10.53.0.5 +dnssec bits SOA > dig.out.ns5.test$n
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "setup broken"; fi
+status=$((status + ret))
+copy_setports ns5/named.conf.post ns5/named.conf
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a ${DEFAULT_ALGORITHM} -f KSK bits) > /dev/null 2>&1
+rndc_reload ns5 10.53.0.5
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.5 bits SOA > dig.out.ns5.test$n
+ grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
+ if [ $ret = 0 ]; then break; fi
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of dynamic inline zone no change ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || { echo_i "/' < freeze.test$n"; ret=1; }
+sleep 1
+$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || { echo_i "rndc thaw dynamic failed" ; ret=1; }
+sleep 1
+grep "zone dynamic/IN (unsigned): ixfr-from-differences: unchanged" ns3/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of dynamic inline zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze dynamic > freeze.test$n 2>&1 || ret=1
+sleep 1
+awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
+ { print; }
+ END { print "freeze1.dynamic. 0 TXT freeze1"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+mv ns3/dynamic.db.new ns3/dynamic.db
+$RNDCCMD 10.53.0.3 thaw dynamic > thaw.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check added record freeze1.dynamic ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 freeze1.dynamic TXT > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ test $ret = 0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# allow 1 second so that file time stamps change
+sleep 1
+
+n=$((n + 1))
+echo_i "checking rndc freeze/thaw of server ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 freeze > freeze.test$n 2>&1 || ret=1
+sleep 1
+awk '$2 == ";" && $3 ~ /serial/ { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
+ { print; }
+ END { print "freeze2.dynamic. 0 TXT freeze2"; } ' ns3/dynamic.db > ns3/dynamic.db.new
+mv ns3/dynamic.db.new ns3/dynamic.db
+$RNDCCMD 10.53.0.3 thaw > thaw.test$n 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check added record freeze2.dynamic ($n)"
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 freeze2.dynamic TXT > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ test $ret = 0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc reload allows reuse of inline-signing zones ($n)"
+ret=0
+{ $RNDCCMD 10.53.0.3 reload 2>&1 || ret=1 ; } | sed 's/^/ns3 /' | cat_i
+grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc sync removes both signed and unsigned journals ($n)"
+ret=0
+[ -f ns3/dynamic.db.jnl ] || ret=1
+[ -f ns3/dynamic.db.signed.jnl ] || ret=1
+$RNDCCMD 10.53.0.3 sync -clean dynamic 2>&1 || ret=1
+[ -f ns3/dynamic.db.jnl ] && ret=1
+[ -f ns3/dynamic.db.signed.jnl ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+$NSUPDATE << EOF
+zone retransfer
+server 10.53.0.2 ${PORT}
+update add added.retransfer 0 A 1.2.3.4
+send
+
+EOF
+
+n=$((n + 1))
+echo_i "checking that the retransfer record is added on the hidden primary ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 added.retransfer A > dig.out.ns2.test$n
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that the change has not been transferred due to notify ($n)"
+ret=0
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+if [ $ans != 1 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline secondary zone works ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 retransfer retransfer 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 added.retransfer A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
+ret=0
+# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
+# which means it should not yet be available on ns3.
+$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n
+grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Switch the zone to NSEC3. An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
+# to test that multiple queued "rndc signing -nsec3param" requests are handled
+# properly.
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
+sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
+mv ns2/named.conf.new ns2/named.conf
+$RNDCCMD 10.53.0.2 reconfig || ret=1
+# Request ns3 to retransfer the "retransfer3" zone.
+$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
+# Check whether "retransfer3" uses NSEC3 as requested.
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+ grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+ test $ret -eq 0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
+ grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
+for i in 0 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
+ [ $ans = 0 ] && break
+ sleep 1
+done
+[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# NOTE: The test below should be considered fragile. More details can be found
+# in the comment inside ns7/named.conf.
+n=$((n + 1))
+echo_i "check rndc retransfer of a inline nsec3 secondary does not trigger an infinite loop ($n)"
+ret=0
+zone=nsec3-loop
+# Add secondary zone using rndc
+$RNDCCMD 10.53.0.7 addzone $zone \
+ '{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
+# Wait until secondary zone is fully signed using NSEC
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ $RNDCCMD 10.53.0.7 signing -list $zone > signing.out.test$n 2>&1
+ keys=$(grep '^Done signing' signing.out.test$n | wc -l)
+ [ $keys -eq 3 ] && ret=0 && break
+ sleep 1
+done
+# Switch secondary zone to NSEC3
+$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
+# Wait until secondary zone is fully signed using NSEC3
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone)
+ test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+ sleep 1
+done
+# Attempt to retransfer the secondary zone from primary
+$RNDCCMD 10.53.0.7 retransfer $zone
+# Check whether the signer managed to fully sign the retransferred zone by
+# waiting for a specific SOA serial number to appear in the logs; if this
+# specific SOA serial number does not appear in the logs, it means the signer
+# has either ran into an infinite loop or crashed; note that we check the logs
+# instead of sending SOA queries to the signer as these may influence its
+# behavior in a way which may prevent the desired scenario from being
+# reproduced (see comment in ns7/named.conf)
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
+ [ $? -eq 0 ] && ret=0 && break
+ sleep 1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "stop bump in the wire signer server ($n)"
+ret=0
+stop_server ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "update SOA record while stopped"
+cp ns3/master4.db.in ns3/master.db
+rm ns3/master.db.jnl
+
+n=$((n + 1))
+echo_i "restart bump in the wire signer server ($n)"
+ret=0
+start_server --noclean --restart --port ${PORT} ns3 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "updates to SOA parameters other than serial while stopped are reflected in signed zone ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n
+ grep "hostmaster" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)"
+ret=1
+# Ensure "rndc reload" attempts to load ns3/master.db by waiting 1 second so
+# that the file modification time has no possibility of being equal to
+# the one stored during server startup.
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master5.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then
+ ret=0
+ break
+ fi
+ sleep 1
+done
+# Sanity check: file updates should be reflected in the signed zone,
+# i.e. SOA RNAME should no longer be set to "hostmaster".
+$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1
+grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that reloading errors prevent synchronization ($n)"
+ret=1
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master6.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ if nextpart ns3/named.run | grep "not loaded due to errors" > /dev/null
+ then
+ ret=0
+ break
+ fi
+ sleep 1
+done
+# Sanity check: the SOA record should be unchanged
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check inline-signing with an include file ($n)"
+ret=0
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master7.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+_includefile_loaded() {
+ $DIG $DIGOPTS @10.53.0.3 f.master A > dig.out.ns3.test$n
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || return 1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || return 1
+ grep "10\.0\.0\.7" dig.out.ns3.test$n > /dev/null || return 1
+ return 0
+}
+retry_quiet 10 _includefile_loaded
+# Sanity check: the SOA record should be changed
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "test add/del zone combinations ($n)"
+ret=0
+for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
+do
+$RNDCCMD 10.53.0.2 addzone test-$zone \
+ '{ type primary; file "bits.db.in"; allow-transfer { any; }; };'
+$DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n
+grep "status: NOERROR," dig.out.ns2.$zone.test$n > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
+$RNDCCMD 10.53.0.3 addzone test-$zone \
+ '{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
+$RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing adding external keys to a inline zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
+for alg in ${DEFAULT_ALGORITHM_NUMBER} ${ALTERNATIVE_ALGORITHM_NUMBER}
+do
+ [ $alg = 13 -a ! -f checkecdsa ] && continue;
+
+ case $alg in
+ 7) echo_i "checking NSEC3RSASHA1";;
+ 8) echo_i "checking RSASHA256";;
+ 13) echo_i "checking ECDSAP256SHA256";;
+ *) echo_i "checking $alg";;
+ esac
+
+ dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
+ rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
+ test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
+ test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing imported key won't overwrite a private key ($n)"
+ret=0
+key=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} import.example)
+cp ${key}.key import.key
+# import should fail
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
+rm -f ${key}.private
+# private key removed; import should now succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+# now that it's an external key, re-import should succeed
+$IMPORTKEY -f import.key import.example > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+sleep 1
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.ns3.post.test$n
+serial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+[ ${oldserial:-0} -eq ${serial:-1} ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Freezing only operates on the raw zone.
+#
+n=$((n + 1))
+echo_i "testing updating inline secure serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS nsec3. SOA @10.53.0.3 > dig.out.n3.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.n3.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.n3.pre.test$n)
+$RNDCCMD 10.53.0.3 freeze nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 signing -serial ${newserial:-0} nsec3 > /dev/null 2>&1
+$RNDCCMD 10.53.0.3 thaw nsec3 > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.3 nsec3. "${newserial:-0}" dig.out.ns3.post1.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-0}" dig.out.ns2.post.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' with negative change ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] - 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing updating dynamic serial via 'rndc signing -serial' when frozen ($n)"
+ret=0
+$DIG $DIGOPTS bits. SOA @10.53.0.2 > dig.out.ns2.pre.test$n
+oldserial=$(awk '$4 == "SOA" { print $7 }' dig.out.ns2.pre.test$n)
+newserial=$($PERL -e 'while (<>) { chomp; my @field = split /\s+/; printf("%u\n", $field[6] + 10) if ($field[3] eq "SOA"); }' < dig.out.ns2.pre.test$n)
+$RNDCCMD 10.53.0.2 freeze bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 signing -serial ${newserial:-0} bits > /dev/null 2>&1
+$RNDCCMD 10.53.0.2 thaw bits > /dev/null 2>&1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${newserial:-1}" dig.out.ns2.post1.test$n && ret=1
+retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
+
+$NSUPDATE << EOF
+server 10.53.0.2 ${PORT}
+update add added.inactivezsk 0 IN TXT added record
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
+ soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
+ test ${soa1:-0} -ne ${soa2:-0} && break
+ sleep 1
+done
+test ${soa1:-0} -ne ${soa2:-0} || ret=1
+
+$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n
+
+#
+# check that DNSKEY is signed with ZSK for default algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+
+#
+# check that DNSKEY is signed with KSK for alternative algorithm
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
+zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
+kskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
+grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Wait until an update to the raw part of a given inline signed zone is fully
+# processed. As waiting for a fixed amount of time is suboptimal and there is
+# no single message that would signify both a successful modification and an
+# error in a race-free manner, instead wait until either notifies are sent
+# (which means the secure zone was modified) or a receive_secure_serial() error
+# is logged (which means the zone was not modified and will not be modified any
+# further in response to the relevant raw zone update).
+wait_until_raw_zone_update_is_processed() {
+ zone="$1"
+ for i in 1 2 3 4 5 6 7 8 9 10
+ do
+ if nextpart ns3/named.run | grep -E "zone ${zone}.*(sending notifies|receive_secure_serial)" > /dev/null; then
+ return
+ fi
+ sleep 1
+ done
+}
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are applied to a previously unsigned secure zone ($n)"
+ret=0
+# Query for bar.nokeys/A and ensure the response is negative. As this zone
+# does not have any signing keys set up, the response must be unsigned.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone nokeys.
+server 10.53.0.2 ${PORT}
+update add bar.nokeys. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "nokeys"
+# Query for bar.nokeys/A again and ensure the signer now returns a positive,
+# yet still unsigned response.
+$DIG $DIGOPTS @10.53.0.3 bar.nokeys. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (primary) ($n)"
+ret=0
+# Query for bar.removedkeys-primary/A and ensure the response is negative. As
+# this zone has signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-primary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update add bar.removedkeys-primary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer still returns
+# a negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (primary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-primary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-primary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-primary.*IN.*SOA\)/\1/p;' ns3/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-primary.
+server 10.53.0.3 ${PORT}
+update del removedkeys-primary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-primary"
+# Query for bar.removedkeys-primary/A again and ensure the signer now returns a
+# positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-primary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that changes to raw zone are not applied to a previously signed secure zone with no keys available (secondary) ($n)"
+ret=0
+# Query for bar.removedkeys-secondary/A and ensure the response is negative. As this
+# zone does have signing keys set up, the response must be signed.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.pre.test$n 2>&1 || ret=1
+grep "status: NOERROR" dig.out.ns3.pre.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+# Remove the signing keys for this zone.
+mv -f ns3/Kremovedkeys-secondary* ns3/removedkeys
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Add a record to the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update add bar.removedkeys-secondary. 0 A 127.0.0.1
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer still returns a
+# negative, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.post.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.post.test$n > /dev/null && ret=1
+grep "RRSIG" dig.out.ns3.pre.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that backlogged changes to raw zone are applied after keys become available (secondary) ($n)"
+ret=0
+# Restore the signing keys for this zone.
+mv ns3/removedkeys/Kremovedkeys-secondary* ns3
+$RNDCCMD 10.53.0.3 loadkeys removedkeys-secondary > /dev/null 2>&1
+# Determine what a SOA record with a bumped serial number should look like.
+BUMPED_SOA=$(sed -n 's/.*\(add removedkeys-secondary.*IN.*SOA\)/\1/p;' ns2/named.run | tail -1 | awk '{$8 += 1; print $0}')
+# Ensure the wait_until_raw_zone_update_is_processed() call below will ignore
+# log messages generated before the raw zone is updated.
+nextpart ns3/named.run > /dev/null
+# Bump the SOA serial number of the raw zone on the primary.
+$NSUPDATE << EOF || ret=1
+zone removedkeys-secondary.
+server 10.53.0.2 ${PORT}
+update del removedkeys-secondary. SOA
+update ${BUMPED_SOA}
+send
+EOF
+wait_until_raw_zone_update_is_processed "removedkeys-secondary"
+# Query for bar.removedkeys-secondary/A again and ensure the signer now returns
+# a positive, signed response.
+$DIG $DIGOPTS @10.53.0.3 bar.removedkeys-secondary. A > dig.out.ns3.test$n 2>&1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+# Check that the file $2 for zone $1 does not contain RRSIG records
+# while the journal file for that zone does contain them.
+ensure_sigs_only_in_journal() {
+ origin="$1"
+ masterfile="$2"
+ $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
+ $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+}
+
+n=$((n + 1))
+echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
+ret=0
+# Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the
+# zone file for the signed version of the zone will contain no DNSSEC records.
+# Move keys into place now and load them, which will cause DNSSEC records to
+# only be present in the journal for the signed version of the zone.
+mv Kdelayedkeys* ns3/
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+# Wait until the zone is signed.
+check_done_signing () (
+ $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
+ num=$(grep "Done signing with" signing.out.test$n | wc -l)
+ [ $num -eq 2 ]
+)
+retry_quiet 10 check_done_signing || ret=1
+# Halt rather than stopping the server to prevent the file from being
+# flushed upon shutdown since we specifically want to avoid it.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+start_server --noclean --restart --port ${PORT} ns3
+# At this point, the raw zone journal will not have a source serial set. Upon
+# server startup, receive_secure_serial() will rectify that, update SOA, resign
+# it, and schedule its future resign. This will cause "rndc zonestatus" to
+# return delayedkeys/SOA as the next node to resign, so we restart the server
+# once again; with the raw zone journal now having a source serial set,
+# receive_secure_serial() should refrain from introducing any zone changes.
+stop_server --use-rndc --halt --port ${CONTROLPORT} ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+nextpart ns3/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns3
+# We can now test whether the secure zone journal was correctly processed:
+# unless the records contained in it were scheduled for resigning, no resigning
+# event will be scheduled at all since the secure zone file contains no
+# DNSSEC records.
+wait_for_log 20 "all zones loaded" ns3/named.run || ret=1
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: primary' for an inline primary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
+grep "type: primary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that zonestatus reports 'type: secondary' for an inline secondary zone ($n)"
+ret=0
+$RNDCCMD 10.53.0.3 zonestatus bits > rndc.out.ns3.test$n
+grep "type: secondary" rndc.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking reload of touched inline zones ($n)"
+ret=0
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=$(grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l)
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking second reload of touched inline zones ($n)"
+ret=0
+nextpart ns8/named.run > nextpart.pre$n.out
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+nextpart ns8/named.run > nextpart.post$n.out
+grep "ixfr-from-differences: unchanged" nextpart.post$n.out && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n+1))
+echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+cp ns8/example2.db.in ns8/example.db || ret=1
+nextpart ns8/named.run > /dev/null
+rndccmd 10.53.0.8 reload || ret=1
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "Check that restart with zone changes and deleted journal works ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa1 || ret=1
+stop_server --use-rndc --port ${CONTROLPORT} ns8
+# TTL of all records change from 300 to 400
+cp ns8/example3.db.in ns8/example.db || ret=1
+rm ns8/example.db.jnl
+nextpart ns8/named.run > /dev/null
+start_server --noclean --restart --port ${PORT} ns8
+wait_for_log 3 "all zones loaded" ns8/named.run
+sleep 1
+dig_with_opts @10.53.0.8 example SOA > dig.out.ns8.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns8.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns8.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 400 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/inline/tests_signed_zone_files.py b/bin/tests/system/inline/tests_signed_zone_files.py
new file mode 100755
index 0000000..596b756
--- /dev/null
+++ b/bin/tests/system/inline/tests_signed_zone_files.py
@@ -0,0 +1,67 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import glob
+import struct
+
+
+class RawFormatHeader(dict):
+ """
+ A dictionary of raw-format header fields read from a zone file.
+ """
+
+ fields = [
+ "format",
+ "version",
+ "dumptime",
+ "flags",
+ "sourceserial",
+ "lastxfrin",
+ ]
+
+ def __init__(self, file_name):
+ header = struct.Struct(">IIIIII")
+ with open(file_name, "rb") as data:
+ header_data = data.read(header.size)
+ super().__init__(zip(self.fields, header.unpack_from(header_data)))
+
+
+def test_unsigned_serial_number():
+ """
+ Check whether all signed zone files in the "ns8" subdirectory contain the
+ serial number of the unsigned version of the zone in the raw-format header.
+ The test assumes that all "*.signed" files in the "ns8" subdirectory are in
+ raw format.
+
+ Notes:
+
+ - The actual zone signing and dumping happens while the tests.sh phase of
+ the "inline" system test is set up and run. This check only verifies
+ the outcome of those events; it does not initiate any signing or
+ dumping itself.
+
+ - example[0-9][0-9].com.db.signed files are initially signed by
+ dnssec-signzone while the others - by named.
+ """
+
+ zones_with_unsigned_serial_missing = []
+
+ for signed_zone in sorted(glob.glob("ns8/*.signed")):
+ raw_header = RawFormatHeader(signed_zone)
+ # Ensure the unsigned serial number is placed where it is expected.
+ assert raw_header["format"] == 2
+ assert raw_header["version"] == 1
+ # Check whether the header flags indicate that the unsigned serial
+ # number is set and that the latter is indeed set.
+ if raw_header["flags"] & 0x02 == 0 or raw_header["sourceserial"] == 0:
+ zones_with_unsigned_serial_missing.append(signed_zone)
+
+ assert not zones_with_unsigned_serial_missing